For all organizations that process payment cards, the Payment Card Industry Data Security Standard (PCI DSS) certification is crucial for data security and compliance. The PCI DSS is an information security standard defined for organizations that manage branded credit card transactions.

The PCI DSS aims to provide a foundation of controls, recommending a baseline level of security for merchants and service providers who store, process, and transmit payment card data. Although the PCI Council has no legal authority to compel compliance, failing to implement PCI compliance requirements and not holding the PCI DSS certification means credit card companies will not allow you to process their payment cards, and you could be fined.

Background of PCI DSS

In 2004, major credit card companies – Visa, MasterCard, Discover, American Express, and JCB International – collaborated to release PCI DSS version 1.0, the first payment card industry standard to ensure online sellers have systems and processes to prevent payment card data breaches. These companies formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006, which manages the ongoing evolution of PCI DSS. The latest version, PCI DSS 4.0, was released in 2024.

PCI DSS is structured into 12 significant requirements and multiple sub-requirements that contain numerous directives against which businesses can measure their payment card security procedures and guidelines. The requirements cover various aspects of securing cardholder data, from building and maintaining a secure network to implementing strong access control measures.

Four Steps to Achieve PCI DSS Certification

There are four sequential steps on the pathway to PCI compliance. Following these steps and closely adhering to the guidelines will result in a clean bill of health for your organization when it comes to PCI DSS compliance.

Step One: Learn the 12 PCI Certification Standards

To achieve PCI DSS certification, organizations must comply with 12 core requirements that are distributed across six broader goals. Each requirement is further broken down into sub-requirements, totaling approximately 251 directives that organizations must adhere to. Here is an in-depth look at these requirements:

By following these detailed standards and implementing the necessary controls, organizations can achieve PCI DSS certification and significantly enhance their cybersecurity posture. For comprehensive details on PCI DSS requirements, organizations can refer to the PCI Security Standards Council’s official website.

Step Two: Identify Your Organization’s Compliance Requirements

Determining your PCI DSS validation requirements involves understanding the volume of payment card transactions your organization processes annually. This classification helps in defining the specific compliance steps and documentation needed to achieve and maintain PCI DSS certification. Here is a detailed breakdown of the levels and their corresponding requirements:

PCI DSS Compliance Levels

Level 1: More than 6 million transactions per year

• Who This Applies To: Large merchants and service providers processing over 6 million card transactions annually.
• Validation Requirements:
  • Annual Report on Compliance (ROC): This is a detailed assessment conducted by a Payment Card Industry Qualified Security Assessor (PCI QSA). The ROC involves an extensive on-site audit of the organization's security controls, policies, and procedures.
  • Quarterly Network Scans: These scans must be performed by an Approved Scanning Vendor (ASV) to identify vulnerabilities.
  • Annual Attestation of Compliance (AOC): This document, completed by the PCI QSA, attests that the organization is compliant with PCI DSS requirements.

Level 2: 1 million to 6 million transactions per year

• Who This Applies To: Medium-sized merchants and service providers processing between 1 million and 6 million card transactions annually.
• Validation Requirements:
  • Self-Assessment Questionnaire (SAQ): This is a self-validation tool to assess security for cardholder data. The SAQ consists of yes-no questions for each PCI DSS requirement that is applicable to the organization.
  • Quarterly Network Scans: These scans must be conducted by an ASV to ensure ongoing compliance.
  • Annual Attestation of Compliance (AOC): This document attests that the organization has met the necessary PCI DSS requirements.

Level 3: 20,000 to 1 million transactions per year

• Who This Applies To: Smaller merchants processing between 20,000 and 1 million card transactions annually.
• Validation Requirements:
  • Self-Assessment Questionnaire (SAQ): Similar to Level 2, this involves filling out a questionnaire to assess the implementation of required security measures.
  • Quarterly Network Scans: Conducted by an ASV to detect and address vulnerabilities.
  • Annual Attestation of Compliance (AOC): Attestation that the organization is compliant with PCI DSS standards.

Level 4: Fewer than 20,000 transactions per year

• Who This Applies To: Small merchants processing fewer than 20,000 card transactions annually.
• Validation Requirements:
  • Self-Assessment Questionnaire (SAQ): Although not always mandatory, it is highly recommended that Level 4 merchants complete the SAQ to self-validate their compliance with PCI DSS.
  • Quarterly Network Scans: Recommended but not mandatory for all Level 4 merchants unless required by the acquiring bank.
  • Annual Attestation of Compliance (AOC): This document is completed to confirm the organization’s compliance status, even though it may not be required for all Level 4 merchants.

Self-Assessment Questionnaire (SAQ)

The SAQ is a critical tool for smaller merchants (Levels 2, 3, and 4) to validate their PCI DSS compliance. The SAQ is an essential tool for merchants to validate their compliance with PCI DSS standards. There are several types of SAQs, each tailored to specific business scenarios and transaction methods. It is crucial for merchants to determine which SAQ type applies to their operations to accurately assess and demonstrate their compliance. This covers various aspects of PCI DSS requirements, tailored to several types of merchants and service providers. The questions focus on key areas such as data protection, access control, and vulnerability management.

SAQ Types and Their Applicability

SAQ A: Card-Not-Present (e-commerce or mail/telephone order) Merchants

• Applicability: This SAQ is designed for merchants that outsource all cardholder data functions to third-party service providers and do not store, process, or transmit any cardholder data on their systems or premises.
• Requirements: Focus on ensuring that the third-party service providers are PCI DSS compliant and that the merchant maintains a secure environment for any physical storage of paper records.
• Example: An online store that uses a third-party payment processor for all transactions and does not store any cardholder data on its servers.

SAQ A-EP: E-commerce Merchants Using a PCI DSS Compliant Third-Party Payment Processor

• Applicability: For e-commerce merchants that partially outsource their payment processing to a third-party but have a website that directly receives cardholder data and then redirects it to the payment processor.
• Requirements: Ensure that the website and any related systems are secure and compliant with PCI DSS standards.
• Example: An online store that captures cardholder data on its website before securely transmitting it to a third-party payment processor.

SAQ B: Imprint-Only Merchants with No Electronic Cardholder Data Storage

• Applicability: For merchants using standalone, dial-out terminals (not connected to other systems) or imprint machines that do not store cardholder data electronically.
• Requirements: Focus on the security of the physical devices and processes used to manage cardholder data.
• Example: A small retail shop using a manual card imprinter or a standalone terminal to process payments.

SAQ B-IP: Merchants Using Standalone, PTS-Approved Payment Terminals

• Applicability: For merchants using standalone, point-to-sale (POS) terminals that are Payment Card Industry PIN Transaction Security (PTS) approved and have no electronic storage of cardholder data.
• Requirements: Similar to SAQ B but specifically for PTS-approved devices, ensuring they are securely managed.
• Example: A restaurant using standalone POS terminals to process payments without storing cardholder data electronically.

SAQ C-VT: Merchants Using Only Web-Based Virtual Terminals

• Applicability: For merchants that manually enter a single transaction at a time using a virtual terminal on a web browser, without electronic cardholder data storage.
• Requirements: Ensuring the security of the virtual terminal environment and the computer used to access it.
• Example: A mail-order business entering transactions through a web-based virtual terminal provided by their payment processor.

SAQ C: Merchants with Payment Application Systems Connected to the Internet

• Applicability: For merchants with standalone payment systems connected to the internet but not part of a more extensive network.
• Requirements: Ensuring the security of the payment application system and its environment, including network security and access controls.
• Example: A small retail store using a POS system that connects to the internet for payment processing but is not integrated with other systems.

SAQ P2PE: Merchants Using Only Approved Point-to-Point Encryption (P2PE) Solutions

• Applicability: For merchants using PCI SSC-approved P2PE solutions, which ensure that cardholder data is encrypted from the point of capture.
• Requirements: Focus on the secure management of the P2PE solution and ensuring that it remains compliant.
• Example: A retail chain using P2PE-approved terminals to encrypt cardholder data immediately upon entry.

SAQ D for Merchants: All Other Merchants Not Included in SAQ Types A through C

• Applicability: For merchants that do not fit into the specific categories of other SAQs, typically involving more complex environments that store, process, or transmit cardholder data.
• Requirements: Comprehensive coverage of all PCI DSS requirements, including those related to network security, access controls, monitoring, and testing.
• Example: A large e-commerce platform storing customer payment information or a multi-location retail chain with integrated payment systems.

SAQ D for Service Providers: Service Providers Eligible to Complete an SAQ

• Applicability: For service providers that store, process, or transmit cardholder data on behalf of other organizations and are eligible to complete an SAQ.
• Requirements: Extensive requirements covering all aspects of PCI DSS compliance applicable to service providers.
• Example: A cloud hosting provider offering secure payment processing services to multiple merchants.

Determining the Appropriate SAQ Type

To determine the appropriate SAQ type, merchants should:

• Assess Transaction Methods: Review how payment card data is managed, including the methods of data capture, processing, and storage.
• Identify System Components: Identify all systems and networks involved in the payment processing workflow.
• Evaluate Third-Party Dependencies: Consider the role of third-party service providers in the payment processing chain.
• Consult with Acquiring Bank: If unsure, consult with your payment card vendor or acquiring bank for guidance on the appropriate SAQ type.

By selecting the correct SAQ type and accurately completing it, merchants can ensure they meet the necessary PCI DSS requirements, thereby safeguarding cardholder data and maintaining compliance. For detailed guidelines on each SAQ type and supporting documents, refer to the PCI Security Standards Council’s official website.

Attestation of Compliance (AOC)

The Attestation of Compliance (AOC) is another crucial component of the PCI DSS certification process. This form serves as an official statement that an organization has completed the Self-Assessment Questionnaire (SAQ) and meets all applicable PCI DSS requirements. The AOC must be signed by an authorized officer of the organization, typically someone in a senior management position who has the authority to attest to the accuracy and completeness of the compliance efforts. The AOC is designed to:

• Confirm Compliance: Verify that the organization has thoroughly completed the SAQ and implemented all necessary security measures to comply with PCI DSS requirements.
• Provide Assurance: Offer assurance to acquiring banks, payment card brands, and other stakeholders that the organization is committed to maintaining a secure environment for cardholder data.
• Document Accountability: Ensure that an accountable person within the organization takes responsibility for the accuracy of the compliance validation.

To complete the AOC, organizations should follow these steps:

• Conduct the SAQ/ROC: Thoroughly complete the Self-Assessment Questionnaire (SAQ) or engage a Qualified Security Assessor (QSA) to perform a Report on Compliance (ROC).
• Gather Evidence: Collect and organize all necessary documentation and evidence to support the compliance status. This may include policies, procedures, network diagrams, vulnerability scan results, and more.
• Review Findings: Ensure that all PCI DSS requirements are met and address any areas of non-compliance through remediation efforts.
• Prepare the AOC: Fill out the AOC form with accurate and detailed information about the assessment, scope, findings, and compliance status.
• Obtain Signatures: Have the AOC signed by an authorized officer of the organization. If a QSA conducted the assessment, ensure the QSA also provides their validation and signature.
• Submit the AOC: Submit the completed and signed AOC to the acquiring bank, payment card brand, or other relevant stakeholders as required.

Step Three: Ease Your Pathway to PCI Certification through Preparation

Preparation is key to achieving PCI DSS certification. Break down the operational requirements into manageable parts:

• Risk Assessment/Audit/Security Assessment: Conduct a detailed risk assessment to identify threats and vulnerabilities to payment card assets and services.
• Policies and Procedures: Develop a set of policies and procedures based on the risk assessment findings to address PCI DSS requirements tailored to your business processes and security controls.
• Gap Analysis: Review PCI DSS requirements to identify any compliance gaps and establish a remediation plan. Consider having a PCI QSA perform an independent gap analysis as a "practice run" to ensure no requirements are missed.

Step Four: Complete a Self-Assessment Questionnaire or Hire a PCI QSA

To achieve PCI DSS certification, organizations must either complete a Self-Assessment Questionnaire (SAQ) or hire a Payment Card Industry Qualified Security Assessor (PCI QSA) to conduct an audit. The specific requirements depend on the organization's transaction volume and corresponding PCI DSS level.

• Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC): For Levels 2, 3, and 4, fill out the SAQ to self-assess security for cardholder data. After completing the SAQ, fill out the AOC to attest to the results of the PCI compliance assessment.
• Report on Compliance (ROC) and Attestation of Compliance: For Level 1 merchants, a PCI QSA must complete the ROC after conducting an annual PCI compliance audit. The ROC and AOC serve as proof of PCI DSS certification.

Role of the Payment Card Industry Qualified Security Assessor (PCI QSA)

For large merchants (Level 1), hiring a PCI QSA is mandatory. The QSA is a certified cybersecurity professional authorized to conduct PCI DSS audits. Their role includes:

• Conducting On-Site Assessments: QSAs perform thorough evaluations of the organization’s security measures, including policies, procedures, and technical controls.
• Identifying Gaps: They identify areas where the organization does not meet PCI DSS requirements and recommend necessary remediation steps.
• Providing Reports: QSAs prepare the Report on Compliance (ROC) and the Attestation of Compliance (AOC), which document the organization’s compliance status.

Demonstrating PCI Certification to Customers

Achieving PCI DSS certification is a significant accomplishment that demonstrates your commitment to securing payment card data. Once certified, it is crucial to inform your customers to assure them of your capability to manage the risks associated with handling sensitive payment card information. Here are detailed steps and strategies to effectively communicate your PCI DSS certification to your customers using the Attestation of Compliance (AOC) and Report on Compliance (ROC):

Attestation of Compliance (AOC)

• What It Is: The AOC is a formal declaration that your organization has successfully completed the Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) and meets all applicable PCI DSS requirements.
• How to Use It: Display the AOC on your company’s website, particularly on pages related to payment and security information. This document serves as a transparent confirmation of your compliance efforts.

Report on Compliance (ROC)

• What It Is: The ROC is a detailed report completed by a PCI Qualified Security Assessor (QSA) following an in-depth audit of your organization’s security measures. It provides comprehensive documentation of your compliance status.
• How to Use It: While the full ROC may contain sensitive information and should not be shared publicly, you can provide excerpts or summaries to stakeholders upon request. Include key points that highlight your security measures and compliance achievements.

Benefits of PCI DSS Certification

Achieving PCI DSS certification not only allows you to process payment cards but also lays the foundation for robust cybersecurity practices, protecting your organization from cyberattacks targeting payment card information. As one of the original PCI QSA firms, ERM Protect leverages over 26 years of experience in payment card compliance, IT security, and data protection to secure your payment data, protect your business, and manage costs and risks.

To speak to one of our PCI DSS certification experts, please call 305-447-6750 or email [email protected].